MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350
SHA3-384 hash: 97e29340418a9836118b6db2782c21514f64fc1f45216cb1b725d747ad875ac2c48e07c557a391d4268824f0a73db355
SHA1 hash: 3df81eab4d40cb86e367a43e1a71678a85241ab7
MD5 hash: f176b4b5967a9bc7b41cdf6976d7a180
humanhash: yankee-bravo-texas-romeo
File name:file
Download: download sample
File size:94'720 bytes
First seen:2026-01-15 20:39:44 UTC
Last seen:2026-01-20 11:50:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 77 x LummaStealer, 62 x Rhadamanthys)
ssdeep 1536:Trae78zjORCDGwfdCSog01313Ws5gfyCAbWCbT5:ZahKyd2n31P5SXRCB
TLSH T15A93191A53F620BBE4B6577999F202539A3179B15B7A96FF22C4C0BC0F236C0A531B17
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:c dropped-by-gcleaner exe PMIX3.file


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
35
# of downloads :
165
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/0b835a45-0218-4b3f-8fb5-ad6ce76c05fb/
Malware family:
n/a
ID:
1
File name:
_4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350.exe
Verdict:
Malicious activity
Analysis date:
2026-01-15 20:41:40 UTC
Tags:
loader reverseloader ta558 apt payload stegocampaign auto-reg
Link:
https://app.any.run/tasks/b2a2d376-7890-4714-bb56-91b04257e052

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49046/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696950b357243ef151cd6cd3
Tags:
xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context base64 CAB installer installer installer-heuristic lolbin microsoft_visual_cc obfuscated overlay powershell rundll32 runonce sfx wscript
Link:
https://www.filescan.io/uploads/696950aefdafd7624aae78b5/reports/0b324804-e6b9-4376-87aa-e8d6105a0682/overview
Verdict:
Malicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-15T17:53:00Z UTC
Last seen:
2026-01-15T20:25:00Z UTC
Hits:
~100
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.VBS.SAgent.gen Trojan-Downloader.Agent.HTTP.ServerRequest Trojan.Agentb.TCP.C&C Trojan-Downloader.PowerShell.NanoShield.sb HEUR:Trojan.Multi.Stego.gen Trojan-Downloader.Win64.Alien.dtw Trojan-Downloader.SLoad.TCP.ServerRequest HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/004d0144-7cd3-46dc-988f-50c85b128788
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.NanoShield
Link:
https://tip.neiki.dev/file/4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-15 20:40:21 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iiuoaqgqkoqbld5xafl4opls7r2aeyz4p7dactg5kc6cun6tcnia._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260115-zfy82adv9b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/533a79d9-ef0a-4dbd-8d98-273d5152810a
Unpacked files
SH256 hash:
4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350
MD5 hash:
f176b4b5967a9bc7b41cdf6976d7a180
SHA1 hash:
3df81eab4d40cb86e367a43e1a71678a85241ab7
Link:
https://www.unpac.me/results/1aac008d-3bf2-41d9-a19b-eb7321fd9790/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4228e040d053/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4228e040d053a0158fb70157c73d72fc7402633c7fc6014cdd50bc2a37d31350

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/49046/

Comments